APT攻击—WHAT IS AN ADVANCED PERSISTENT THREAT (APT)?（高级持续威胁）

本文介绍: 高级持续性威胁（APT）是一种复杂的、持续的网络攻击，入侵者在网络中建立未被发现的存在，以便在很长一段时间内窃取敏感数据。APT 攻击经过精心策划和设计，旨在渗透到特定组织、逃避现有安全措施并在雷达下飞行。与传统攻击相比，执行 APT 攻击需要更高程度的定制和复杂性。攻击者通常是资金雄厚经验丰富的网络犯罪团队他们以高价值组织为目标。他们花费了大量的时间和资源来研究和识别组织内的漏洞。Hack t i vi smAPT 的目标分为四大类网络间谍活动，包括盗窃知识产权或国家机密以谋取经济利益的电子犯罪。

Wha t i s an Ad v ance d Pe rs i stent Th re a t?

An advanced persistent t h re a t (APT) i s a s op h i s t i cated, sust a ined cyberattack in wh i ch an int rude r es tab li shes an undetected presence in a network in order to steal sensiti ve data over a pro longed period of time. An APT attack is c arefully planned and designed to infiltrate a specific organization, evade existin g security measu res and fly under the rad ar.

Execut in g an APT attac k req ui res a higher degree of customization and so p histicat ion than a traditional attac k. Adversaries are typi cally well-funded, experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources research ing and identifying vulnerabi lities within the organization.

什么是高级持续性威胁？

高级持续性威胁（APT） 是一种复杂的、持续的网络攻击，入侵者在网络中建立未被发现的存在，以便在很长一段时间内窃取敏感数据。APT 攻击经过精心策划和设计，旨在渗透到特定组织、逃避现有安全措施并在雷达下飞行。

与传统攻击相比，执行 APT 攻击需要更高程度的定制和复杂性。攻击者通常是资金雄厚、经验丰富的网络犯罪团队，他们以高价值组织为目标。他们花费了大量的时间和资源来研究和识别组织内的漏洞。

The goals of APTs fall into four general categories:

Cyber Espi onage, including theft of int ellectual property or state secrets
eCrime for financial gain
Hacktivism
Destruction

APT 的目标分为四大类：

网络间谍活动，包括盗窃知识产权或国家机密

以谋取经济利益的电子犯罪

黑客行动主义

破坏

What are the 3 Stages of an APT Attack?

To pr event, detect and resolve an APT, you must recognize its characteristics. Most APTs follow the same basic li fe cycle of infiltrating a network, expanding access and ach ie ving the goal of the attack, which is most com m only stealing data by extracting it from the network.

APT 攻击的 3 个阶段是什么？

要预防、检测和解决 APT，您必须识别其特征。大多数 APT 遵循相同的基本生命周期，即渗透网络、扩大访问范围并实现攻击目标，最常见的是通过从网络中提取数据来窃取数据。

Stage 1: Infiltration

In the first phase, advanced persistent threats often gain access through so cial engineering techniques. One indication of an APT is a phishing email that selectively targets high-level indiv iduals like senior executives or technology leaders, often using information obtained from other team members that have already been com promised. Email attac ks that target specific individuals are called “spear-phishing.”

The email may seem to come from a team member and include references to an ongoing project. If several executives repo rt being duped by a spear-phishing attack, start looking for other signs of an APT.

第 1 阶段：渗透

在第一阶段，高级持续性威胁通常通过社会工程技术获得访问权限。APT 的一个迹象是网络钓鱼电子邮件，该电子邮件有选择地针对高级管理人员或技术领导者等高级个人，通常使用从其他团队成员那里获得的信息，这些信息已被泄露。针对特定个人的电子邮件攻击称为“鱼叉式网络钓鱼”。

该电子邮件可能似乎来自团队成员，并包含对正在进行的项目的引用。如果几位高管报告被鱼叉式网络钓鱼攻击欺骗，请开始寻找 APT 的其他迹象。

Stage 2: Escalation and Lateral Mov ement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion. They move laterally to map the network and gather credentials su ch as account names and passwords in order to access critical business information.

They may also estab li sh a “backdoor” — a scheme that allows them to sneak into the network later to conduct ste alth operations. Additional entry points are often estab li shed to ensu re that the attack can continue if a com promised point is discovered and closed.

第 2 阶段：升级和横向移动

一旦获得初始访问权限，攻击者就会将恶意软件插入组织的网络，以进入第二阶段，即扩展。它们横向移动以映射网络并收集凭据（如帐户名和密码），以便访问关键业务信息。

他们还可能建立一个“后门”——一个允许他们稍后潜入网络进行隐身行动的计划。通常会建立额外的入口点，以确保在发现并关闭受感染点时攻击可以继续。

Stage 3: Exfiltration

To prepare for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected. They then extract, or “exfiltrate” it without detection. They may use tactics like a denial-of-service (DoS) attack to dist ract the security team and tie up network personnel while the data is being exfiltrated. The network can remain com promised, waiting for the thieves to return at any time.

第 3 阶段：外泄

为了准备第三阶段，网络犯罪分子通常会将被盗信息存储在网络内的安全位置，直到收集到足够的数据。然后，他们在不被发现的情况下提取或“渗透”它。他们可能会使用拒绝服务（DoS）攻击等策略来分散安全团队的注意力，并在数据泄露时束缚网络人员。网络可能一直受到威胁，等待窃贼随时返回。

Characteristics of an APT Attack

Since advanced persistent threats use different techniques from ordinary hackers, they leave behind different signs. In addition to spear-phishing campaigns that target organization leaders, symptoms of an advanced persistent threat attack include:

Unusual activity on user accounts, such as an increase in high-level logins late at night
Widespread presence of backdoor Trojans
Unexpected or unusual data bundles, which may indicate that data has been amassed in preparation for exfiltration
Unexpected information flows, such as anomalies in outbound data or a sudden, uncharacteristic increase in database operations involving massive quantities of data

APT 攻击的特征

由于高级持续性威胁使用与普通黑客不同的技术，因此它们会留下不同的迹象。除了针对组织领导者的鱼叉式网络钓鱼活动外，高级持续性威胁攻击的症状还包括：

用户帐户上的异常活动，例如深夜高级登录次数增加

后门特洛伊木马的广泛存在

意外或异常的数据包，这可能表明已收集数据以准备外泄

意外的信息流，例如出站数据中的异常或涉及大量数据的数据库操作的突然异常增加

Advanced Persistent Threat Examples

CrowdStrike currently trac ks well over 150 adversaries around the world, including nation-states, eCriminals and hacktivists.

Here are some notable examples of APTs detected by CrowdStrike:

GOBLIN PANDA (APT27) was first observed in Sept ember 2013 when CrowdStrike discovered indicators of attack (IOAs) in the network of a technology company that operates in multiple sectors. This China-based adversa ry uses two Microsoft Word exploit documents with training-related themes to drop mali cious files when opened. Read our full APT profile on Goblin Panda.
FANCY BEAR (APT28), a Russia-based attacker, uses phishing messages and spoofed web sites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Read our full APT Group Profile on Fancy Bear.
Cozy Bear (APT29) is an adversa ry of Russian-origin, asse ssed as likely to be acting on behalf of the Foreign Intelligence Service of the Russian Federation. This adversa ry has been identified leveraging large-volume spear phishing campaigns to deliver an extensive range of malware types as part of an effort to target political, scientific, and national security entities across a variety of sectors. Read our full APT Group Profile on Cozy Bear.
Ocean Buf fa lo (APT32) is a Vietnam-based targeted intrusion adversa ry repo rtedly active since at least 2012. This adversa ry is known to emp loy a wide range of Tactics, Techniques, and Procedures (TTPs), to include the use of both custom and off-the-shelf tools as well as the distribution of malware via Strategic Web Compromise (SWC) operations and spear phishing emails containing malicious attachments.
HELIX KITTEN (APT34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecomm uni cations and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. Read the full APT Profile on HELIX KITTEN.
Wicked Panda (APT41) has been one the most prolific and effective China-based adversaries from the mid 2010s into the 2020s. CrowdStrike Intelligence asse sses Wicked Panda consists of a superset of groups involving several contractors working in the interests of the Chinese state while still carrying out criminal, for-profit activities, likely with some form of tacit approval from CCP officials. Read the full APT profile on WICKED PANDA.

高级持续性威胁示例

CrowdStrike 目前跟踪全球 150 多个对手，包括民族国家、电子犯罪分子和黑客行动主义者。

以下是 CrowdStrike 检测到的 APT 的一些值得注意的示例：

GOBLIN PANDA （APT27）于 2013 年 9 月首次被观察到，当时 CrowdStrike 在一家在多个领域运营的科技公司的网络中发现了攻击指标（IOA）。这个位于中国的对手使用两个具有培训相关主题的 Microsoft Word 漏洞利用文档在打开时删除恶意文件。阅读我们在 Goblin Panda 上的完整 APT 个人资料。

FANCY BEAR （APT28）是一家总部位于俄罗斯的攻击者，它使用网络钓鱼消息和与合法网站非常相似的欺骗性网站来访问传统计算机和移动设备。阅读我们关于Fancy Bear的完整APT集团简介。

Cozy Bear （APT29）是俄罗斯血统的对手，被评估为可能代表俄罗斯联邦外国情报局行事。该攻击者已被确定利用大量鱼叉式网络钓鱼活动来提供广泛的恶意软件类型，作为针对各行各业的政治、科学和国家安全实体的努力的一部分。阅读我们关于Cozy Bear的完整APT集团简介。

Ocean Buf fa lo（APT32）是一个总部位于越南的目标入侵对手，据报道至少自2012年以来一直活跃。众所周知，该攻击者采用广泛的策略、技术和程序（TTP），包括使用自定义和现成的工具，以及通过战略 Web 入侵（SWC）操作和包含恶意附件的鱼叉式网络钓鱼电子邮件分发恶意软件。

HELIX KITTEN（APT34）至少从2015年底开始活跃，很可能是伊朗的基地。它以航空航天、能源、金融、政府、酒店和电信领域的组织为目标，并使用与目标人员高度相关的经过充分研究和结构化的鱼叉式网络钓鱼消息。在HELIX KITTEN上阅读完整的APT简介。

从 2010 年代中期到 2020 年代，Wicked Panda （APT41）一直是中国最多产和最有效的对手之一。 CrowdStrike Intelligence 评估说，Wicked Panda 由一组超群组成，其中包括几个承包商，他们为中国政府的利益工作，同时仍在进行犯罪、营利性活动，可能得到中共官员的某种形式的默许。阅读有关WICKED PANDA的完整APT简介。

How do you Protect Against APT Attacks?

There are many cybersecurity and intelligence solutions available to assist organizations in better protecting against APT attacks. Here are some of the best tactics to emp loy:

Sensor Coverage. Organizations must deploy capabilities that provide their defenders with full visibility across their environment to avoid blind spots that can become a safe haven for cyber threats.
Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected.
Service Provider. Partnering with a best-of-breed cybersecurity firm is a necessity. Should the unthinkable happen, organizations may require assistance responding to a sophisticated cyber threat.
A Web Appli cation Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web ap pli cation and the internet.
Threat Intelligence. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more import ant to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
Threat Hunting. Many organizations will find the need for 24/7, managed, human-based threat hunting to accompany their cybersecurity technology already in place.

如何防范 APT 攻击？

有许多网络安全和情报解决方案可以帮助组织更好地防范 APT 攻击。以下是一些最佳策略：

传感器覆盖范围。组织必须部署功能，使其防御者能够全面了解其整个环境，以避免可能成为网络威胁避风港的盲点。

技术情报。利用技术情报，例如入侵指标（IOC），并将其用于安全信息和事件管理器（SIEM）以扩充数据。这允许在进行事件关联时增加智能，从而可能突出显示网络上可能未被发现的事件。

服务提供商。与一流的网络安全公司合作是必要的。如果发生不可想象的情况，组织可能需要帮助来应对复杂的网络威胁。

Web 应用程序防火墙（WAF）是一种安全设备，旨在通过过滤、监控和分析 Web 应用程序和 Internet 之间的超文本传输协议（HTTP）和超文本传输协议安全（HTTPS）流量，在应用程序级别保护组织。

威胁情报。 威胁情报有助于威胁参与者分析、活动跟踪和恶意软件家族跟踪。如今，了解攻击的背景比仅仅知道攻击本身更重要，这就是威胁情报发挥至关重要作用的地方。

威胁搜寻。许多组织会发现，需要 24/7 全天候、托管的、基于人的威胁搜寻来配合他们已经到位的网络安全技术。